The InfoSec Blog

‘Fakeproof’ e-passport

Posted by Anton Aylward

The fingerprint created by that friction ridge...
My collegue Sami O. Koskinen said "I always felt like the new biometric passport is just a show" and I have to agree with him. He also has reservations about the idea of building a national fingerprint database covering all citizen, and I would think visitors to a country. He points out that the justification for this in his home country of Finland is that fingerprints are already taken for ID and passports.

The normal justification for such a policy, which seems to exceed those of even the most represive times at Stalinist Russia, is that it would ease solving crimes and help in crime prevention.

Well, for a start, I see from discussions in other forums that many people in IT and security don't understand the difference between preventive and detective controls, or even that detective controls are part of an effective security profile, so why should tech-ignorant (and proud of it) politicians see that point.

Fingerprinting is a baseline detective method in law enforcement, at least with serious crimes of violence. But then again, this has been well publicized and is only really of use in impulsive crimes where the perpetrator has not had the time or foresight to wear gloves.

A few years ago I went through a stage of reading a lot of detective novels. Lets face it, these are 'entertainment', not true crime'. As such, twisted plots are common. Never the less, there are no shortage of plots whereby fingerprint and DNA evidence is spoofed and subverted. There are no laws or controls that prevent criminals or potential criminals from reading these books, and nothing what so ever to stop them from coming up with even more creative and ingenious methods.

We've had references here to Schneier's "security as a state of mind" and how we security professionals have "twisted minds". That "twisted minds" designation has historically been applied to ingenious and inventive criminals.
According to my database of quotes, John Tandervold said:

"Each new law makes only a single guarantee. It will create new
criminals."

A similar thing can be said about security controls in general. Each will have have people who will find ways to bypass or subvert it.

Reblog this post [with Zemanta]